Re: [squid-users] Denying access to https site

From: Joe Cooper <joe@dont-contact.us>
Date: Mon, 10 Sep 2001 19:53:12 -0500

Is this a transparent proxy? Or are you enforcing usage by blocking
port 80 and requiring proxy use via policy?

If the former, just block access with ipchains to the safeweb IPs
(64.124.150.10, 216.104.228.139 and 216.104.228.137) it appears from
where I'm sitting.

If the latter, start enforcing proxy usage for port 443, as well, and
deny any kind of access to most other ports.

The Triangle Boy stuff is a little more complicated as it is dynamic,
peer-to-peer, and works on ports other than 443.

Eric Engen wrote:

> It was brought to my attention today that our users can go to
> https://www.safeweb.com and from there, surf to wherever their little
> fingers desire, totally avoiding our squid box for filtering purposes.
>
> Adding .safeweb.com to my banned_url dstdomain acl didn't stop it. I think
> it has something to do with the fact that this is an SSL site.
>
> I've searched the FAQs for help, but can't seem to find what I'm looking
> for. Can anyone point me to the info on how to deny access to specific ssl
> sites?
>
> System configuration: 2.3STABLE4 on K6-2 233MHz, RedHat 6.2 OS

                                   --
                      Joe Cooper <joe@swelltech.com>
                  Affordable Web Caching Proxy Appliances
                         http://www.swelltech.com
Received on Mon Sep 10 2001 - 18:47:48 MDT
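
Added example, not part of the original thread or of Squid's shipped configuration: a squid.conf sketch for the second case Joe describes, where proxy use is enforced for port 443 as well. It assumes browsers are configured to send HTTPS through Squid and that the firewall drops direct outbound traffic, since these rules only affect requests that actually reach the proxy. The ACL names `localnet` and `safeweb_ip` and the client address range are assumptions; `banned_url` is the name from Eric's message and the addresses are the ones Joe lists.

```conf
# Added example; not from the original message.

acl all src 0.0.0.0/0.0.0.0
# Constructed client range; replace with the real internal network.
acl localnet src 192.168.0.0/255.255.0.0
acl SSL_ports port 443
acl CONNECT method CONNECT

# ACL name from Eric's message. For HTTPS the browser sends
# "CONNECT www.safeweb.com:443" to the proxy, and dstdomain is
# matched against that host name.
acl banned_url dstdomain .safeweb.com

# Addresses Joe lists, to catch a CONNECT made to the IP literal
# instead of the host name.
acl safeweb_ip dst 64.124.150.10 216.104.228.139 216.104.228.137

# Deny rules come before the allow rule; first match wins.
http_access deny banned_url
http_access deny safeweb_ip
# Refuse tunnels to anything other than port 443.
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access deny all
```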
